You Probably Agreed to NSA Snooping When You Accepted That Website’s Terms of Service

Maybe we shouldn't be so shocked about PRISM, considering we grant companies like Facebook, Google and Apple incredible leverage to hand over our data to government agencies the moment we accept their terms of service agreements.

Everyone from Mark Zuckerberg down to the average Facebook user has expressed surprised outrage at the existence of PRISM, a top-secret government program that the National Security Agency uses to access user data from at least nine major Internet companies in order to target foreign threats. But maybe we shouldn’t be shocked at all, considering we grant companies like Facebook, Google and Apple incredible leverage to hand over our data to government agencies the moment we accept their privacy policies and terms of service agreements.

Tucked away in those long paragraphs of legalese on pretty much every major Internet website (including Time.com) is a clause about how a business will handle your private data when the feds come knocking. In general, these companies grant themselves wide latitude. Yahoo says it might hand out your data to investigate or prevent “situations involving potential threats to the physical safety of any person.” Facebook will respond to a court order, search warrant or other legal request “if we have a good faith belief that the law requires us to do so.” Apple provides user data to government agencies if “for purposes of national security, law enforcement, or other issues of public importance, disclosure is necessary or appropriate.”

It’s unclear whether even this kind of vague legal verbiage opens the door for a program as sweeping as PRISM has been reported to be. The exact nature of the data collection program is still unclear. Initial reports in The Washington Post and The Guardian painted a picture of a Big Brother-esque surveillance apparatus with unfettered access to massive amounts of data. The Director of National Intelligence responded by saying that all data acquired through the program, which targets only terrorist suspects who are not in the U.S., was lawfully obtained but through secret court orders made possible under the Foreign Intelligence Surveillance Act. A New York Times report last week fell somewhere in the middle, describing a “locked mailbox” for the NSA on tech companies’ servers where the government could routinely ask for the data it sought in its investigations. All the companies steadfastly deny any involvement in the program and say the government doesn’t have direct access to their servers.

Whatever the case, the now-acknowledged program takes data collection to a scope beyond what many users likely expected and possibly beyond what some companies’ terms of service allow. There’s a fine distinction between providing government officials private data when compelled to by a legal document like a court order and helping them to circumvent traditional legal channels. “If they say [they] only ever give up your data when compelled to do so by the government, but then it turns out they actually turn over your data routinely whenever the government says hello, then there might be a claim you could bring under the [Federal Trade Commission] Act,” says Andy Sellars, a staff attorney for the Digital Media Law Project based at Harvard University.

Such a contradiction could qualify as a deceptive trade practice under FTC rules. Companies have gotten in trouble for violating their own privacy policies before. In 2011, Google was forced to revamp its privacy policy and face regular independent privacy audits for 20 years because of “deceptive tactics” used in the rollout of failed social network Google Buzz. The company was hit with a $22.5 million penalty last year for misrepresenting privacy assurances to users of the Safari Internet browser. Microsoft and Facebook have also run afoul of the FTC for making false promises in their privacy policies. Still, the FTC has never levied a punishment that truly impacted a tech giant’s bottom line—that $22.5 million Google fine, the largest ever obtained by the FTC, is equivalent to the revenue the company generates in about four hours.

Individual consumers might also take aim at the PRISM companies, but their chances of success are slim. In 2006 when similar revelations about widespread government surveillance of telecommunications data came to light, Verizon was sued for $50 billion in a class-action lawsuit. But in 2008 Congress granted retroactive immunity to the telecom companies that were involved in surveillance programs, freeing them from legal culpability. Similar measures could be taken to protect Internet companies so that details of the PRISM program aren’t brought to light in a public court. According to the original Washington Post story, in fact, these companies already have immunity.

Of course, all of this only applies to the U.S. legal system. Companies like Google and Facebook have huge international customer bases, and PRISM is targeted squarely at non-Americans. In the European Union, where laws regarding the use of people’s personal data are more stringent than in the U.S., experts say that these Internet companies could face lawsuits.

Even if they do avoid legal trouble, tech companies–whose entire business models hinge on convincing users that their data is safe and secure–have every reason to want the PRISM story to go away as fast as possible. Google is now asking the White House for permission to publish information about the number of secret national security data requests it receives in its annual transparency report about government demands for user information. Facebook, which has never published a transparency report, is suddenly excited by the idea and also wants to include information on national security data requests. Microsoft and Twitter are on board too.

Increased transparency from the government and the Internet giants would also help users to understand just how public their private online communications can quickly become. The clues are all right there in the fine print. “I’d be surprised to see an organization say that they simply never gave over your information to anyone at any time,” Sellars says. “They simply can’t guarantee that.”